Web Authentication is Disabled

  • 1.  Web Authentication is Disabled

    Posted May 21, 2014 06:27 PM

    I need some help please.  Guest users have been reporting a "Web Authentication is Disabled" error after authenticating on the CP page.  Although they get the error, they have successfully been put into the correct authenticated role, and if they ignore this message they can browse the net.  I am not sure when this started, but it's a global issue.

    Recent changes

    New SSL cert on all controllers for securelogins.fluor.com
    Captive portal ACL change: added two permit lines to the ACL for CPPM.  Tried taking these out; had the same issue.
    Changed AmigoPod to CPPM last night and I am not 100% sure but I was told this issue predates that change.

    I was told Aruba support did some tests with a test CP page and authentication role and everything works.  Leads me to believe I have a configuration error.  BTW this worked as is for a year plus on the same AOS.

    aaa authentication captive-portal "amigopod"
       default-role "ShortTerm"   <<<  one or two authenticated guest roles
       server-group "AmigoPods"
       login-page "https://guestaccess.fdnet.com/fluor_guestmanage_cert_login.php"

    aaa server-group "AmigoPods"
     auth-server AmigoPod
     set role condition Filter-Id equals "ShortTerm" set-value ShortTerm  <<<<  David added these years ago when we installed AmigoPod.  I don't think they are needed now with CPPM based on the new setup Steve did.  Not sure.
     set role condition Filter-Id equals "LongTerm" set-value LongTerm  <<<<  David added these years ago when we installed AmigoPod.  I don't think they are needed now with CPPM based on the new setup Steve did.  Not sure.
    !


    ip access-list session captiveportal
      user   alias mswitch svc-https  dst-nat 8081
      user   alias controller svc-https  dst-nat 8081
      user   alias CPPM svc-http  permit   <<<<  Newer addition
      user   alias CPPM svc-https  permit  <<<<  Newer addition
      user any svc-http  dst-nat 8080
      user any svc-https  dst-nat 8081
      user any svc-http-proxy1  dst-nat 8088
      user any svc-http-proxy2  dst-nat 8088
      user any svc-http-proxy3  dst-nat 8088


    user-role Guest-Logon-AP  <<<  Unauthenticated initial role  no changes worked for a year+
     captive-portal "amigopod"
     access-list session Guest-Logon-Policy
     access-list session Guest-Printing
     access-list session guest-pw-portal
     access-list session captiveportal



    user-role LongTerm  <<<  one or two authenticated guest roles
     access-list session Guest-Logon-Policy
     access-list session Guest-Printing
     access-list session guest-pw-portal
     access-list session cplogout
     access-list session deny_LLMNR_acl
     access-list session deny_mDNS_acl
     access-list session deny_SSDP_and_UPnP_acl
     access-list session deny_netbios_acl
     access-list session inside-exceptions
     access-list session Block-Inside-Networks-Policy
     access-list session Guest-Access-Policy




    user-role ShortTerm   <<<  one or two authenticated guest roles
     access-list session Guest-Logon-Policy
     access-list session Guest-Printing
     access-list session guest-pw-portal
     access-list session cplogout
     access-list session deny_LLMNR_acl
     access-list session deny_mDNS_acl
     access-list session deny_SSDP_and_UPnP_acl
     access-list session deny_netbios_acl
     access-list session inside-exceptions
     access-list session Block-Inside-Networks-Policy
     access-list session Guest-Access-Policy

    (FLRFC01-Aruba01) #
    (FLRFC01-Aruba01) #show user | include 08:70:45:ca:b5:ae
    10.236.116.21   08:70:45:ca:b5:ae  test@fc01.com     LongTerm           00:01:24    Web               FC01-TGUB12-AP01  Wireless  IWL900/6c:f3:7f:3e:b6:00/g-HT   AAA-Guest-Logon        tunnel        iPhone

    (FLRFC01-Aruba01) #show rights LongTerm

    Derived Role = 'LongTerm'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 89/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name                          Location
    --------  ----                          --------
    1         Guest-Logon-Policy            
    2         Guest-Printing                
    3         guest-pw-portal               
    4         cplogout                      
    5         deny_LLMNR_acl                
    6         deny_mDNS_acl                 
    7         deny_SSDP_and_UPnP_acl        
    8         deny_netbios_acl              
    9         inside-exceptions             
    10        Block-Inside-Networks-Policy  
    11        Guest-Access-Policy           

    Guest-Logon-Policy
    ------------------
    Priority  Source  Destination                Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------                -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any                        udp 68    deny                             Low                                                           4
    2         user    Fluor-Approved-Public-DNS  svc-dns   permit                           Low                                                           4
    3         user    mswitch                    svc-icmp  permit                           Low                                                           4
    4         any     guest-gateways             svc-dhcp  permit                           Low                                                           4
    5         any     255.255.255.255            svc-dhcp  permit                           Low                                                           4
    6         any     any                        svc-dhcp  deny                             Low                                                           4
    Guest-Printing
    --------------
    Priority  Source          Destination     Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------          -----------     -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         guest-networks  guest-printers  any      permit                           Low                                                           4
    2         guest-printers  guest-networks  any      permit                           Low                                                           4
    guest-pw-portal
    ---------------
    Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    amigopods    svc-https  permit                           Low                                                           4
    2         user    amigopods    svc-http   permit                           Low                                                           4
    cplogout
    --------
    Priority  Source  Destination  Service    Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    mswitch      svc-https  dst-nat 8081                           Low                                                           4
    2         user    controller   svc-https  dst-nat 8081                           Low                                                           4
    deny_LLMNR_acl
    --------------
    Priority  Source  Destination      Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------      -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     239.255.255.252  any      deny                             Low                                                           4
    deny_mDNS_acl
    -------------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          udp 5353  deny                             Low                                                           4
    deny_SSDP_and_UPnP_acl
    ----------------------
    Priority  Source  Destination      Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------      -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     239.255.255.250  any      deny                             Low                                                           4
    2         any     239.255.255.253  any      deny                             Low                                                           4
    deny_netbios_acl
    ----------------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          udp 137  deny                             Low                                                           4
    2         any     any          udp 138  deny                             Low                                                           4
    inside-exceptions
    -----------------
    Priority  Source  Destination             Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------             -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    Fluor-Websense-Servers  tcp 15871  permit                           Low                                                           4
    2         user    mswitch                 svc-https  permit                           Low                                                           4
    3         user    10.25.2.38              svc-http   permit                           Low                                                           4
    4         user    10.26.14.40             svc-http   permit                           Low                                                           4
    5         user    10.252.149.190          any        permit                           Low                                                           4
    Block-Inside-Networks-Policy
    ----------------------------
    Priority  Source           Destination      Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------           -----------      -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user             inside-networks  any      deny                             Low                                                           4
    2         inside-networks  user             any      deny                             Low                                                           4
    Guest-Access-Policy
    -------------------
    Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          svc-http   permit                           Low                                                           4
    2         user    any          svc-https  permit                           Low                                                           4
    3         user    any          any        permit                           Low                                                           4

    Expired Policies (due to time constraints) = 0

    (FLRFC01-Aruba01) #

  • 2.  RE: Web Authentication is Disabled

    Posted May 21, 2014 06:29 PM

    BTW I have a case open on this and was told I am hitting a known bug, but I refuse to accept that considering it all worked up to a short time ago.  They are looking at captures.  I searched the posts here; I don't see any that apply.  It looks set up correctly.  Looking for other ideas please.

  • 3.  RE: Web Authentication is Disabled

    EMPLOYEE
    Posted May 21, 2014 06:59 PM

    ascott,

    There were a number of issues that caused that problem in the past, and it was intermittent.  I have not seen it on the latest versions of code, however.

  • 4.  RE: Web Authentication is Disabled
    Best Answer

    Posted May 21, 2014 10:21 PM

    Issue resolved. It was related to the AmigoPod to CPPM upgrade. I was told the issue started before the upgrade but after more info collection that was not the case and it started after the upgrade.

    Normally when we migrate from Amigopod to CPG, you need to modify the controller’s CP profile to point to “/guest” directory.

    aaa authentication captive-portal "amigopod"
       default-role "ShortTerm"
       server-group "AmigoPods"
       login-page "https://guestaccess.fdnet.com/guest/fluor_guestmanage_cert_login.php"

    Hope this helps someone.  Sure glad I didn't AOS upgrade 70 controllers per Aruba "bug"  :-)
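    As an added example (not from the thread, Aruba or ClearPass), a small Python audit that parses a captive-portal profile block and the captiveportal session ACL in the form posted above and flags a login-page whose path is not under the ClearPass Guest /guest/ directory or whose host the pre-auth role cannot reach. The sample text and the alias-to-host mapping (ALIAS_HOSTS) are constructed assumptions, since the netdestination definitions are not in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed samples modelled on the thread: the profile before the fix and
# the session ACL that lets the pre-auth role reach the ClearPass Guest host.
CP_PROFILE_BEFORE = """
aaa authentication captive-portal "amigopod"
   default-role "ShortTerm"
   server-group "AmigoPods"
   login-page "https://guestaccess.fdnet.com/fluor_guestmanage_cert_login.php"
"""
CP_ACL = """
ip access-list session captiveportal
  user   alias mswitch svc-https  dst-nat 8081
  user   alias CPPM svc-http  permit
  user   alias CPPM svc-https  permit
"""
ALIAS_HOSTS = {"CPPM": {"guestaccess.fdnet.com"}}  # assumed; netdestinations not on the page

def parse_cp_profiles(cfg):
    """Return {profile_name: {setting: value}} for every captive-portal profile block."""
    profiles, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r'\s*aaa authentication captive-portal "([^"]+)"', line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        m = re.match(r'\s+(default-role|server-group|login-page)\s+"?([^"\s]+)"?', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return profiles

def permitted_hosts(acl):
    """Hosts a pre-auth user may reach directly: alias lines with a permit action."""
    hosts = set()
    for line in acl.splitlines():
        m = re.match(r"\s*user\s+alias\s+(\S+)\s+\S+\s+permit", line)
        if m:
            hosts |= ALIAS_HOSTS.get(m.group(1), set())
    return hosts

def audit_profile(profile, acl_hosts):
    """List what breaks the CP flow after an AmigoPod to ClearPass Guest migration."""
    findings = []
    url = urlsplit(profile.get("login-page", ""))
    if not url.path.startswith("/guest/"):
        findings.append("login-page path is not under /guest/ (ClearPass Guest layout)")
    if url.hostname not in acl_hosts:
        findings.append(f"captiveportal ACL does not permit {url.hostname}")
    return findings
```

    Running the audit on the posted profile reports only the /guest/ path finding; after the login-page is corrected as in the answer above, it reports nothing.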

  • 5.  RE: Web Authentication is Disabled

    EMPLOYEE
    Posted May 21, 2014 06:29 PM

    In your captive portal profile, do you have user authentication and/or guest authentication enabled?